File: sec-ch1.htm

aolserver 3.4.2-1
<HTML><HEAD>
<TITLE>Security Guidelines -- High Priority Security Modifications</TITLE>
<LINK rel=Previous href="sec-ch.htm">
<LINK rel=ToC href="toc.htm">
<LINK rel=Index href="master.htm">
<LINK rel=Next href="sec-ch2.htm">
</HEAD><BODY BGCOLOR="#ffffff"><A NAME="topofpage"></A>
<TABLE WIDTH=100%>
  <TR>
    <TD ALIGN=LEFT>
      <IMG SRC="as-c-sm.gif">
    </TD>
    <TD ALIGN=RIGHT>
      <A href="sec-ch.htm"><IMG  BORDER="0" src=navbprev.gif alt="[ Previous ]"></A>
      <A href=toc.htm> <IMG  BORDER="0" src=navbhome.gif alt="[ Contents ]"></A>
      <A href=master.htm> <IMG  BORDER="0" src=navbhelp.gif alt="[ Index ]"></A>
      <A href="sec-ch2.htm"> <IMG  BORDER="0" src=navbnext.gif alt="[ Next ]"></A>
      <A name="7983"> </A>
    </TD>
  </TR>
</TABLE>

<a name="8608">
</a><h3>High Priority Security Modifications</h3>
<p><a name="8609">
</a>Take the actions described in this section to ensure the security of systems running AOLserver.</p>
<a name="8610">
</a><h4>Setup Server nsadmin Password</h4>
<a name="8611">
</a><i>Versions prior to 3.0:</i>
<p><a name="8612">
</a>The default Setup Server has either no nsadmin password or a poor nsadmin password. You must set an acceptable password for the Setup Server nsadmin account as described below.</p>
<p><a name="8613">
</a>In the <b>nsd.ini </b>configuration file, a Password line should appear in the [ns/setup] section as shown below:</p>
<pre>    <a name="8614"></a><code>[ns/setup]
</code>    <a name="8615"></a><code>Password=XXXXXXXXXXXXX
</code></pre><p><a name="8616">
</a>The <code>XXXXXXXXXXXXX</code> value is the hashed password string. It should be 13 characters long. </p>
<p><a name="8617">
</a>If this line is missing, or if there is a blank password value, no password is set for the Setup Server nsadmin account. Set a password by either manually entering a hashed password into the <b>nsd.ini</b> file, or by accessing the following URL on your web server:</p>
<pre>    <a name="8618"></a><code>http://</code><i>server-name</i><code>.com:XXXX/NS/Setup/SetupVS
</code></pre><p><a name="8619">
</a>where:</p>
<p><a name="9752">
</a><code>XXXX</code> is the port your Setup Server is running on.</p>
<a name="8621">
</a><i>Versions 3.0 or higher:</i>
<p><a name="8622">
</a>The Setup Server does not exist. No action is necessary.</p>
<a name="8633">
</a><h4>Execution as Root</h4>
<a name="8634">
</a><i>Versions prior to 3.0:</i>
<p><a name="8635">
</a>AOLserver can be set to run as root. Disable this capability as described below.</p>
<p><a name="8636">
</a>If the AllowRoot parameter entry exists in your <b>nsd.ini</b> configuration file, either remove it or set it explicitly to Off as shown below:</p>
<pre>    <a name="8637"></a><code>[ns/parameters]
</code>    <a name="8638"></a><code>AllowRoot=Off
</code></pre><p><a name="8639">
</a>By default, AOLserver does not enable the AllowRoot parameter.</p>
<a name="8640">
</a><i>Versions 3.0 or higher:</i>
<p><a name="8641">
</a>AOLserver cannot be set to run as root. No action is necessary.</p>
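<p>The two <b>nsd.ini</b> checks above (a 13-character Setup Server password in [ns/setup], and AllowRoot absent or Off in [ns/parameters]) are easy to miss by eye on a large configuration file. The following audit script is an added example, not part of the AOLserver documentation or distribution; it assumes the [section] / Key=Value layout shown on this page, and both sample files it reads are constructed here.</p>

```shell
#!/bin/sh
# Added example, not part of the AOLserver documentation: audit a pre-3.0
# nsd.ini for the two settings described above. The file layout is the
# [section] / Key=Value form shown on this page; the sample files below
# are constructed here for the demonstration.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], if any.
# Keys are matched as "Key=" at the start of the line, as on this page.
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^\[/ { in_sec = (line == want); next }
        in_sec && index(line, key "=") == 1 { print substr(line, length(key) + 2); exit }
    ' "$1"
}

# Setup Server nsadmin password: a 13-character crypt(3) hash must be present
# in [ns/setup]. A missing or blank Password line means no password at all.
check_setup_password() {
    pw=$(ini_get "$1" ns/setup Password)
    [ "${#pw}" -eq 13 ]
}

# AllowRoot in [ns/parameters] must be absent (the default) or explicitly Off.
check_allowroot() {
    v=$(ini_get "$1" ns/parameters AllowRoot)
    case "$v" in
        ""|[Oo][Ff][Ff]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one PASS/FAIL line per check; return the number of failed checks.
audit_nsd_ini() {
    fails=0
    if check_setup_password "$1"; then echo "PASS  [ns/setup] Password is a 13-char hash"
    else echo "FAIL  [ns/setup] Password missing, blank or not a 13-char hash"; fails=$((fails + 1)); fi
    if check_allowroot "$1"; then echo "PASS  [ns/parameters] AllowRoot is Off or absent"
    else echo "FAIL  [ns/parameters] AllowRoot is enabled"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample: the insecure state this section warns about.
BAD=$(mktemp)
cat > "$BAD" <<'EOF'
[ns/setup]
Password=
[ns/parameters]
AllowRoot=On
EOF

# Constructed sample: hardened. The hash value is a made-up 13-char placeholder.
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
[ns/setup]
Password=abCDefGHijKLm
[ns/parameters]
AllowRoot=Off
EOF
trap 'rm -f "$BAD" "$GOOD"' EXIT

echo "== insecure sample"; audit_nsd_ini "$BAD" || echo "   -> $? check(s) failed"
echo "== hardened sample"; audit_nsd_ini "$GOOD" || echo "   -> $? check(s) failed"
```

<p>Run it against the real file with <code>audit_nsd_ini /path/to/nsd.ini</code>; the return value is the number of failed checks, so it can gate a deployment script. The AllowRoot check deliberately treats an absent entry as a pass, matching the page's statement that the parameter is disabled by default.</p>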
<a name="8642">
</a><h4>General nsadmin Passwords</h4>
<p><a name="8643">
</a>By default, the nsadmin password for AOLserver is either set to NULL or to a poor password. Set an acceptable password for nsadmin as described below.</p>
<a name="8645">
</a><i>Versions prior to 3.0:</i>
<p><a name="8646">
</a>You can set the nsadmin passwords for virtual servers at this URL:</p>
<pre>    <a name="8647"></a><code>http://</code><i>virtual-server</i><code>.com/NS/PermAdmin
</code></pre><p><a name="8648">
</a>Edit the nsadmin account and add an acceptable password. Set a password for each virtual server running. </p>
<a name="8649">
</a><i>Versions 3.0 or higher:</i>
<p><a name="8650">
</a>Edit the nsadmin entry in the <b>/modules/nsperm/passwd</b> file. For example, the default <b>passwd</b> file contains this nsadmin entry: </p>
<pre>    <a name="8651"></a><code>nsadmin:CUdnvgBYocLSI:::::
</code></pre><p><a name="8652">
</a>Substitute an alternate encrypted password in place of <code>CUdnvgBYocLSI</code>. </p>
<p><a name="8653">
</a>To encrypt a password, you can copy an already-encrypted password from the <b>/etc/passwd</b> file or run the <b>bin/nspasswd</b> utility. It will prompt you for a password and return the encrypted version of the password.</p>
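<p>The shipped <code>nsadmin:CUdnvgBYocLSI:::::</code> entry is itself a signature of an unchanged default, so a check should fail on that exact hash as well as on an empty one. The script below is an added example, not part of the AOLserver documentation or the nsperm module: it reads the colon-separated layout shown above, replaces the nsadmin password field in place with a hash you obtained from <b>bin/nspasswd</b> (a placeholder string stands in for that output here), and re-checks the file. The sample <b>passwd</b> file is constructed; only its nsadmin line comes from this page.</p>

```shell
#!/bin/sh
# Added example, not from the AOLserver documentation: check and update the
# nsadmin entry in modules/nsperm/passwd. The file layout is the colon-separated
# form shown on this page; the sample file is constructed here.

DEFAULT_HASH=CUdnvgBYocLSI   # the shipped default shown above; must not survive

# nsadmin_hash FILE: print the password field of the nsadmin entry.
nsadmin_hash() {
    awk -F: '$1 == "nsadmin" { print $2; exit }' "$1"
}

# check_nsadmin_passwd FILE: succeed only if the nsadmin hash is present, is a
# 13-character crypt(3) string (the format bin/nspasswd and a classic
# /etc/passwd produce) and is not the shipped default.
check_nsadmin_passwd() {
    h=$(nsadmin_hash "$1")
    [ -n "$h" ] && [ "${#h}" -eq 13 ] && [ "$h" != "$DEFAULT_HASH" ]
}

# set_nsadmin_hash FILE HASH: replace the nsadmin password field in place and
# leave every other field and line untouched. The file is rewritten through
# cat rather than mv so its ownership and mode are preserved.
set_nsadmin_hash() {
    tmp=$(mktemp)
    awk -F: -v OFS=: -v h="$2" '$1 == "nsadmin" { $2 = h } { print }' "$1" > "$tmp" \
        && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Constructed sample: the default nsadmin line from the page plus one made-up
# user, to show that unrelated entries survive the rewrite.
PASSWD=$(mktemp)
cat > "$PASSWD" <<'EOF'
nsadmin:CUdnvgBYocLSI:::::
reader:abCDefGHijKLm:::::
EOF
trap 'rm -f "$PASSWD"' EXIT

if check_nsadmin_passwd "$PASSWD"; then echo "nsadmin: ok"
else echo "nsadmin: default or empty password hash, change it"; fi

# NEW_HASH stands in for the output of bin/nspasswd (constructed placeholder).
NEW_HASH=zyXWvuTSrqPON
set_nsadmin_hash "$PASSWD" "$NEW_HASH"
check_nsadmin_passwd "$PASSWD" && echo "nsadmin: ok after update"
cat "$PASSWD"
```

<p>In practice the hash argument to <code>set_nsadmin_hash</code> is pasted from <b>bin/nspasswd</b>; never pass the clear-text password, since the file stores only the encrypted form.</p>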
<p><a name="9638">
</a>For more information about the <b>passwd</b> file, see the <a href="acc-ch2.htm#23477">"Defining Users" section</a>.</p>
<a name="8654">
</a><h4>Permission Settings</h4>
<p><a name="8655">
</a>It is more secure to avoid using the nsperm module and use file-level security for ADPs. If you must use the nsperm module, set appropriate permissions records as follows:</p>
<ul>
<li>Restrict GET, PUT, and POST access for the /NS URLs to the nsadmin user.<a name="8656"></a></li>
<li>Maintain the same permission records for GET and POST; they actually provide the same permissions.<a name="8657"></a></li>
<li>Remove any permission records related to network publishing (PUT, DELETE, MKDIR, and BROWSE) for all users except nsadmin.<a name="8658"></a></li>
<li>Keep in mind the inheritance rules for permission records. In general, a permission record for a directory also applies to the directories underneath it.<a name="8660"></a></li>
</ul><a name="8661">
</a><i>Versions prior to 3.0:</i>
<p><a name="8662">
</a>Visit this URL to change the permissions for each virtual server:</p>
<pre>    <a name="8663"></a><code>http://</code><i>virtual-server</i><code>.com/NS/PermAdmin
</code></pre><p><a name="8664">
</a><i>Versions 3.0 or higher:</i>
<p><a name="8668">
</a>To define AOLserver permissions, create permission entries for them in the <b>perms</b> file, which resides in the <b>/modules/nsperm</b> directory. The default <b>perms</b> file does not contain any permission entries, but it contains comments that explain how to add entries to the file.</p>
<p><a name="9645">
</a>For more information about setting permissions, see the <a href="acc-ch2.htm#2882">"Permissions" section</a>.</p>
<a name="8669">
</a><h4>Tcl Evaluation</h4>
<p><a name="8670">
</a>The Tcl evaluation feature, accessed by the /NS/EvalTcl URL, allows an administrator to execute Tcl commands remotely on AOLserver. Disable the /NS/EvalTcl capability in AOLserver versions 2.2.1 and higher as described below.</p>
<a name="8671">
</a><i>Versions prior to 3.0:</i>
<p><a name="8672">
</a>In the <i>server-home</i><b>/modules/tcl/gettcl.tcl</b> file, remove the following two lines:</p>
<pre>    <a name="8673"></a><code>ns_register_proc GET /NS/EvalTcl _ns_dyntcl_eval
</code>    <a name="8674"></a><code>ns_register_proc POST /NS/EvalTcl1 _ns_dyntcl_eval
</code></pre><p><a name="8675">
</a>Additionally, you may want to remove the following line from the same file, which will prevent the Tcl evaluation link from appearing when you access /NS/Admin:</p>
<pre>    <a name="8676"></a><code>&lt;LI&gt;Ad Hoc Evaluation
</code></pre><p><a name="8677">
</a>Search the rest of the <b>gettcl.tcl</b> file for any other instances of <code>_ns_dyntcl_eval</code> and remove them as well.</p>
<p><a name="8678">
</a>With AOLserver version 2.3, you can also disable the Tcl Evaluation ability by setting the EnableAdmin parameter to Off in the <b>nsd.ini</b> configuration file:</p>
<pre>    <a name="8679"></a><code>[ns/server/your-virtual-server/tcl]
</code>    <a name="8680"></a><code>EnableAdmin=Off
</code></pre><p><a name="8681">
</a>However, the safest method in all situations is to remove the <code>ns_register_proc</code> entries in the <b>gettcl.tcl</b> file as described above.</p>
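<p>The three <b>gettcl.tcl</b> edits above (drop the two <code>ns_register_proc</code> lines, drop the <code>&lt;LI&gt;Ad Hoc Evaluation</code> menu line, then search for leftover <code>_ns_dyntcl_eval</code> references) can be scripted and verified. The script below is an added example, not part of the AOLserver documentation or distribution. It removes only the single-line items the page names and then counts what is left for a manual pass, because the remaining references may sit inside a multi-line proc that a line-oriented tool should not cut apart. The sample file is a constructed excerpt in the shape of <i>server-home</i><b>/modules/tcl/gettcl.tcl</b>: only the two registration lines and the <code>&lt;LI&gt;</code> line come from this page; the <code>ns_write</code> wrapper and the proc stub are made up.</p>

```shell
#!/bin/sh
# Added example, not from the AOLserver documentation: apply the gettcl.tcl
# edits described above to a pre-3.0 install and verify nothing still wires
# up /NS/EvalTcl. The sample file below is a constructed excerpt in the shape
# of server-home/modules/tcl/gettcl.tcl, not the real file.

# evaltcl_registrations FILE: list lines that register a /NS/EvalTcl handler.
evaltcl_registrations() {
    grep -n 'ns_register_proc.*/NS/EvalTcl' "$1" || true
}

# dyntcl_refs FILE: count every remaining mention of the evaluator proc, so
# leftovers (the proc body, other registrations) get a manual look.
dyntcl_refs() {
    grep -c '_ns_dyntcl_eval' "$1" || true
}

# strip_evaltcl FILE: drop the two ns_register_proc lines and the
# "<LI>Ad Hoc Evaluation" menu line in place; every other line is kept verbatim
# and the file's ownership and mode are preserved (rewritten through cat).
strip_evaltcl() {
    tmp=$(mktemp)
    awk '
        /^[ \t]*ns_register_proc[ \t]+(GET|POST)[ \t]+\/NS\/EvalTcl/ && /_ns_dyntcl_eval/ { next }
        /^[ \t]*<LI>Ad Hoc Evaluation[ \t]*$/ { next }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

GETTCL=$(mktemp)
cat > "$GETTCL" <<'EOF'
# constructed excerpt: only the ns_register_proc lines and the <LI> line are
# taken from the guideline; the menu wrapper and the proc stub are made up
ns_register_proc GET /NS/EvalTcl _ns_dyntcl_eval
ns_register_proc POST /NS/EvalTcl1 _ns_dyntcl_eval
ns_write {
<UL>
<LI>Ad Hoc Evaluation
</UL>
}
proc _ns_dyntcl_eval {conn context} {
    # constructed placeholder body
}
EOF
trap 'rm -f "$GETTCL"' EXIT

echo "before: $(dyntcl_refs "$GETTCL") reference(s) to _ns_dyntcl_eval"
evaltcl_registrations "$GETTCL"
strip_evaltcl "$GETTCL"
echo "after:  $(dyntcl_refs "$GETTCL") reference(s) left for manual removal"
evaltcl_registrations "$GETTCL"
```

<p>Against a real install, point <code>strip_evaltcl</code> at the actual <b>gettcl.tcl</b>, then treat a non-zero <code>dyntcl_refs</code> count as the list of places the page tells you to search for by hand; an empty <code>evaltcl_registrations</code> output is the condition that actually matters, since no registration means no URL reaches the evaluator.</p>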
<a name="8682">
</a><i>Versions 3.0 or higher:</i>
<p><a name="8683">
</a>The /NS/EvalTcl feature does not exist. No action is necessary.</p>


<TABLE BORDER="2" CELLPADDING="1" width="100%">
<TR><TD COLSPAN=3><P ALIGN=Center>
<IMG SRC="bluebult.gif">
<A HREF="#topofpage">
<FONT SIZE=-1>Top of Page</FONT></A>
<IMG SRC="bluebult.gif">
</TD></TR>
<TR><TD COLSPAN=3><P ALIGN=Center>
<A href="sec-ch.htm">
<IMG  BORDER="0" src=navbprev.gif alt="[ Previous ]"></A>
<A href=toc.htm>
<IMG  BORDER="0" src=navbhome.gif alt="[ Contents ]"></A>
<A href=master.htm>
<IMG  BORDER="0" src=navbhelp.gif alt="[ Index ]"></A>
<A href="sec-ch2.htm">
<IMG  BORDER="0" src=navbnext.gif alt="[ Next ]"></A>
<BR align=center>
<FONT size=-1>Copyright &copy; 1998-99 America Online,
Inc.</FONT>
</TD></TR></TABLE></BODY></HTML>